Launchpad itself

XSS in bugtask delete confirmation dialog (and possibly others)

Bug #1057901 reported by Ian Booth
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Launchpad itself
Fix Released
Critical
Ian Booth

Bug Description

The dialog confirmation text when deleting a bugtask has the bug title inserted directly into the HTML.

Related branches

lp:~wallyworld/launchpad/confirmation-dialog-xss-1057901
William Grant: Approve (code)
Diff: 67 lines (+12/-13)
2 files modified
lib/lp/app/javascript/information_type.js (+6/-6)
lib/lp/bugs/javascript/bugtask_index.js (+6/-7)
Revision history for this message
Launchpad QA Bot (lpqabot) wrote :

Fixed in stable r16048 <http://bazaar.launchpad.net/~launchpad-pqm/launchpad/stable/revision/16048>.

tags: added: qa-needstesting
Changed in launchpad:
status: In Progress → Fix Committed
Ian Booth (wallyworld)
tags: added: javascript qa-ok xss
removed: qa-needstesting
William Grant (wgrant)
Changed in launchpad:
status: Fix Committed → Fix Released
visibility: private → public
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.